Saudi Arabia’s National Cybersecurity Authority (NCA) has rolled out updated minimum cybersecurity controls for private sector organizations, whether they’re classified as Critical National Infrastructure (CNI) or Non-CNI. Understanding the differences is essential for compliance, risk management, and digital resilience.

Saudi Arabia’s National Cybersecurity Authority (NCA) has published a new baseline cybersecurity framework specifically for Non-Critical National Infrastructure (Non-CNI) private sector entities covering 2025–2026. This regulatory update marks a major shift: cybersecurity is now a mandatory compliance obligation for private companies of all sizes operating in the Kingdom — even those without sensitive infrastructure.

The UAE operates three legally distinct data protection regimes—PDPL, DIFC, and ADGM—each tied to sovereign jurisdiction, not geography. This reference explains how those regimes affect cloud sovereignty, data residency, cross-border transfers, and regulator authority for practitioners designing compliant cloud and data architectures.

Complete reference guide to NCA ECC-2:2024, Saudi Arabia's mandatory cybersecurity framework. Covers all 4 domains, 108 controls, compliance scope, key changes from 2018, and official NCA resources. Vendor-neutral, source-based.

This page consolidates official cybersecurity rules and frameworks issued by the Saudi Central Bank (SAMA), relevant to both SAMA-regulated financial institutions and cloud or third-party providers supporting them. It highlights authoritative sources, cloud-relevant sections of the SAMA Cyber Security Framework, and the distinction between official regulatory text and derived interpretations.